Study Says Many Android Vendors Regularly ‘Forget’ Security Patches

If you believe your Android phone is receiving regular security updates from the manufacturer, you could be sadly mistaken, according to a new study from a Berlin-based IT security research firm.

Researchers with Security Research Labs studied Android devices from numerous companies and found what they call a hidden patch gap, with large numbers of manufacturers regularly failing to update device security. They said that failure exposes the Android ecosystem to risks despite recent patch improvements, leaving devices susceptible to remote exploits.

Google’s Android is the world’s leading mobile operating system, with more than 2 billion users around the world. It’s also supported by a far more diverse system of manufacturers and developers than its rival, Apple’s iOS, which contributes to much more uneven security practices.

Patch Claims Need ‘Independent Verification’

Researchers Karsten Nohl and Jakob Lell presented their findings today at the HITB security conference in Amsterdam. They said they took a “novel analysis approach” to look for missing security updates on a wide range of Android devices, and discovered that most vendors “regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks.”

Among the companies whose devices they tested, Google, Sony, Samsung, and Wiko came out on top, with zero or just one patch typically missing. TCL and ZTE, by contrast, landed on the bottom of their list, with more than four missed patches on their devices.

Nohl and Lell’s findings contradict the claims by many Android device makers that they roll out regular updates to fix vulnerabilities identified by Google’s monthly Android security bulletins. The researchers said users should seek independent verification that their devices are regularly patched, and developed an app called SnoopSnitch for that purpose. SnoopSnitch is available as a free download through the Google Play Store.